Magento Forum

   
PHP injection vulnerability
 
Gavin Hall
Jr. Member
 
Total Posts:  18
Joined:  2008-01-18
 

Yesterday two of my demo URLs were attacked by a PHP injection attack. Both sites were the latest version of Magento with basic installation and configuration and are hosted on the MediaTemple grid. All account passwords are tricky to guess, so they would be hard to auto-generate.

The attack inserted affiliate links into my root index.php file and compromised my .htaccess.

In the index.php file this code was inserted after the Mage::run(); tag:

<!--yje35zfv8SU--><font style="position: absolute;overflow: hidden;height: 0;width: 0"><a href="http://www.buyandownloads.com/best-soft-list/best-soft-Autodesk_3ds_Max_8.html">3DS Max 8 OEM</a><a href="http://www.buyandownloads.com/best-soft-list/best-soft-3Q_3GP_Video_Converter_2.1.html">3Q 3GP Video Converter</a><a href="http://www.buyandownloads.com/best-soft-list/best-soft-ACDSee_Photo_Manager_2009_11.0.html">download acdsee manager 2009 oem</a><a href="http://www.buyandownloads.com/best-soft-list/best-soft-Red_Eye_Remover_Pro_1.1.html">red eye remover pro 1.2</a><a href="http://www.soft4vista.com/">cheapest windows vista</a><a href="http://www.soft4vista.com">cheapest windows vista ultimate</a><a href="http://www.soft4vista.com/">cheap AutoCAD 2009</a><a href="http://www.soft4vista.com">Vision Backup Enterprise</a><a href="http://www.soft4vista.com">cheap Macromedia ColdFusion</a><a href="http://softwaremotion.com">nero photoshow 5 download</a><a href="http://softwaremotion.com">adobe photoshop cs oem</a><a href="http://buycheapdownload.com/only-soft-Macromedia-Coldfusion-Mx-7.0-Standard.php">coldfusion mx 7 download</a><a href="http://www.pharmacy-buyer.com/">order Brand Kamagra</a><a href="http://pharmacy-buyer.com/buy_brand_caverta_de.html?PHPSESSID=134eee805a391300621fe67670f48c61">order Brand Caverta</a><a href="http://www.pharmacy-buyer.com/">pharmacybuyer.com</a><a href="http://www.pharmacy-buyer.com/">xlpharmacy.com</a><a href="http://www.pharmacy-buyer.com/">accessrx coupon</a><a href="http://www.pharmacy-buyer.com/">accessrx.com</a></font>

MediaTemple cleaned up for me, and they are certain there's nothing they can do to prevent these attacks at script level, so I'm trying to understand how to protect my installations in the future. The best I could do was to insert this into my .htaccess file:

# Reject (403) any request whose query string combines a metacharacter
# (quote, angle bracket, semicolon, encoded equivalents) with an SQL keyword
RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|&#x0A;|&#x0D;|&#x22;|&#x27;|&#x3C;|&#x3E;|&#x00;).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
RewriteRule .* - [F]

Any advice would be much appreciated.
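Editor's note, with an added example that is not code from the original thread or from Magento: the RewriteCond above filters suspicious request query strings, whereas the markup shown in this post is already sitting in the file on disk, so a content check of the entry-point file is the complementary control. The Python script below scans an index.php-style file (one that should contain only PHP) for exactly what the post describes: HTML left outside the PHP block, anything following the last Mage::run() call, a zero-size hidden container, and the hosts it links to. The embedded index.php text is a constructed sample modelled on the post and trimmed to two of the listed links; the function names are this example's own.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample (not the poster's real file): a trimmed Magento index.php
# with a hidden affiliate-link block appended after the Mage::run() call,
# as described in the post.
SAMPLE_INDEX_PHP = r"""<?php
require 'app/Mage.php';
$mageRunCode = isset($_SERVER['MAGE_RUN_CODE']) ? $_SERVER['MAGE_RUN_CODE'] : '';
$mageRunType = isset($_SERVER['MAGE_RUN_TYPE']) ? $_SERVER['MAGE_RUN_TYPE'] : 'store';
Mage::run($mageRunCode, $mageRunType);
?><!--yje35zfv8SU--><font style="position: absolute;overflow: hidden;height: 0;width: 0"><a href="http://www.buyandownloads.com/best-soft-list/best-soft-Autodesk_3ds_Max_8.html">3DS Max 8 OEM</a><a href="http://www.pharmacy-buyer.com/">order Brand Kamagra</a></font>
"""

# The same file without the injected tail, for comparison.
CLEAN_INDEX_PHP = SAMPLE_INDEX_PHP.split("?>")[0]

# A PHP block runs from "<?php" (or "<?" / "<?=") to "?>" or end of file.
PHP_BLOCK = re.compile(r"<\?(?:php|=)?.*?(?:\?>|\Z)", re.S)
# Last Mage::run(...) statement; a clean Magento index.php ends right after it.
MAGE_RUN = re.compile(r"Mage::run\([^;]*\);")
# Anchor hrefs and style attributes, scanned over the whole file so that
# links echoed from inside PHP strings are caught as well.
HREF = re.compile(r'<a\s[^>]*href\s*=\s*["\']([^"\']+)["\']', re.I)
STYLE_ATTR = re.compile(r'<(\w+)[^>]*\sstyle\s*=\s*["\']([^"\']*)["\']', re.I)


def is_hidden(style: str) -> bool:
    """True for the usual SEO-spam concealment: zero box, display:none, visibility:hidden."""
    s = re.sub(r"\s+", "", style).lower()
    return ("display:none" in s or "visibility:hidden" in s
            or ("height:0" in s and "width:0" in s))


def html_outside_php(source: str) -> str:
    """Everything in the file that is not inside a <?php ... ?> block."""
    return PHP_BLOCK.sub("", source).strip()


def tail_after_mage_run(source: str) -> str:
    """Whatever follows the last Mage::run(...); statement (should be empty)."""
    last = None
    for last in MAGE_RUN.finditer(source):
        pass
    return source[last.end():].strip() if last else ""


def scan_php_file(source: str) -> dict:
    """Report indicators of injected markup in an entry-point PHP file."""
    outside = html_outside_php(source)
    hidden = [tag for tag, style in STYLE_ATTR.findall(source) if is_hidden(style)]
    hosts = sorted({urlparse(u).hostname for u in HREF.findall(source)
                    if urlparse(u).hostname})
    return {
        "html_outside_php": outside,
        "after_mage_run": tail_after_mage_run(source),
        "hidden_containers": hidden,
        "linked_hosts": hosts,
        # Either indicator alone is enough to flag a file that should be pure PHP.
        "suspicious": bool(outside) or bool(hidden),
    }


if __name__ == "__main__":
    print(json.dumps(scan_php_file(SAMPLE_INDEX_PHP), indent=2))
    print(json.dumps(scan_php_file(CLEAN_INDEX_PHP), indent=2))
```

Point it at the real index.php (read the file and pass its contents to scan_php_file) from a cron job or a deploy hook; on a stock Magento install the clean result is the baseline, so any non-empty html_outside_php or after_mage_run is worth an alert even before looking at the linked hosts.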

 
 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

Out of curiosity, what makes you sure it was a php injection attack as opposed to someone having a compromised PC with login info?

 
 
Cubix Web Solutions
Guru
 
Total Posts:  318
Joined:  2009-07-01
LondON, United Kingdom
 

Sorry if it is a dumb question, but how did they manage to change the contents of your index.php?

 
 
brianadkins
Jr. Member
 
Total Posts:  2
Joined:  2009-09-30
 

Since it was the index.php and (presumably) your root folder .htaccess, that would point me to an FTP password stealer on the local machine. There's a ton of that going around these days.

Does the process running your web server (www, etc.) have write access to those two files? Usually injection attacks tend to drop files into folders where the www process has write access.

 
 
Gavin Hall
Jr. Member
 
Total Posts:  18
Joined:  2008-01-18
 
fr0x - 19 November 2009 02:56 PM

Out of curiosity, what makes you sure it was a php injection attack as opposed to someone having a compromised PC with login info?

Was informed by MediaTemple directly. They knew this from the server connection logs.

 
 
Gavin Hall
Jr. Member
 
Total Posts:  18
Joined:  2008-01-18
 
Cubix Web Solutions - 25 November 2009 05:39 AM

Sorry if it is a dumb question, but how did they manage to change the contents of your index.php?

By forcing the server somehow into getting file permissions.

 
 
Gavin Hall
Jr. Member
 
Total Posts:  18
Joined:  2008-01-18
 
brianadkins - 25 November 2009 02:51 PM

Since it was the index.php and (presumably) your root folder .htaccess, that would point me to an FTP password stealer on the local machine. There's a ton of that going around these days.

Does the process running your web server (www, etc.) have write access to those two files? Usually injection attacks tend to drop files into folders where the www process has write access.

MediaTemple host it. As I understand it, the server folder structure has 777 permissions for the 'html' folder, the web root.
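Editor's note, with an added example that is not code from the thread or from Magento: the question in the last two posts, whether the web-server process could have written index.php and .htaccess, can be answered from ownership and mode bits alone, without knowing how the files were actually changed. The Python audit below walks a webroot and reports every path that is world-writable or writable by a given web-server uid/gid, with the usual 644/755 recommendation. It builds a constructed sample webroot in a temporary directory with index.php at 777 (the state described above) and a var/ tree left writable; the var and media allow-list reflects what Magento 1 needs writable, the Linux-only os.getuid call is an assumption about the host, and the function names are this example's own.

```python
import os
import stat
import tempfile


def writable_by(st: os.stat_result, uid: int, gid: int) -> bool:
    """Mode-bit check: could a process running as uid/gid write this inode?"""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_webroot(root: str, web_uid: int, web_gid: int,
                  allow_writable=("var", "media")) -> list:
    """Report paths the web-server user (or anyone) could modify.

    Top-level directories in allow_writable are skipped entirely; Magento 1
    needs var/ and media/ writable, so flagging them would only add noise.
    Symlinks are skipped because their own mode bits are meaningless.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir != "." and rel_dir.split(os.sep)[0] in allow_writable:
            dirnames[:] = []  # do not descend into allow-listed trees
            continue
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            world = bool(st.st_mode & stat.S_IWOTH)
            www = writable_by(st, web_uid, web_gid)
            if world or www:
                is_dir = stat.S_ISDIR(st.st_mode)
                findings.append({
                    "path": os.path.relpath(path, root),
                    "mode": oct(st.st_mode & 0o777),
                    "world_writable": world,
                    "web_user_writable": www,
                    "recommended": "0755" if is_dir else "0644",
                })
    return findings


def build_sample_webroot() -> str:
    """Constructed sample webroot (not a real install) in a temp directory."""
    root = tempfile.mkdtemp(prefix="magento-demo-")

    def put(rel, mode):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)

    put("index.php", 0o777)           # the 777 state described in the thread
    put(".htaccess", 0o644)           # owner-writable only
    put("app/etc/local.xml", 0o640)   # owner and group only
    put("var/cache/demo", 0o666)      # legitimately writable for Magento, allow-listed
    return root


def demo_results() -> dict:
    """Run the audit twice: web server as some other uid, then as the file owner."""
    root = build_sample_webroot()
    me, my_group = os.getuid(), os.getgid()
    return {
        "other_user": audit_webroot(root, web_uid=me + 1, web_gid=my_group + 1),
        "owner_user": audit_webroot(root, web_uid=me, web_gid=my_group),
    }


if __name__ == "__main__":
    for scenario, findings in demo_results().items():
        print(scenario)
        for f in findings:
            print("  ", f["path"], f["mode"], "->", f["recommended"])
```

The two scenarios are the two theories in the thread: with the web server running as a different user from the FTP account, only the 777 index.php is reachable by it (and by everyone); if the web server runs as the same user that owns the files, every owner-writable file, .htaccess included, is exposed to any script the web process can be made to run. Run it against a shared-host webroot with the uid and gid from `ps` or a phpinfo() page and the difference shows immediately.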

 
Magento Community Magento Community
Magento Community
Magento Community
Magento Community
Magento Community
    Back to top